Appreciating Contradictions: The Cyberpsychology of Information Security

Information security is at a critical juncture. How do we solve the weakest link - human psychology? Insights from cyberpsychology into leadership, power and persuasion are essential. These slides are from Dr Ciarán Mc Mahon's keynote at (ISC)² Security Congress EMEA, Sofitel Munich, October 2015.

  1. The cyberpsychology of information security. Dr Ciarán Mc Mahon. Appreciating contradictions. #ISC2CONGRESSEMEA @CJAMCMAHON
  2. Today’s talk • InfoSec in 2015 • Key concepts from cyberpsychology • Leaderless authority • Information security consciousness
  3. PWC, The Global State of Information Security Survey 2015: http://www.pwchk.com/webmedia/doc/635527689739110925_rcs_info_security_2015.pdf
  4. Information Age - http://www.information-age.com/technology/security/123458744/2015-year-cyber-security-shows-its-human-side
  5. Grand Forks Herald - http://www.grandforksherald.com/news/business/3847833-cyber-security-professionals-say-employees-are-biggest-threat-network-security
  6. Databarracks Data Health Check - http://datahealthcheck.databarracks.com/
  7. Clearswift - https://www.clearswift.com/sites/default/files/documents/Infographics/Clearswift_What_is_your_employees_price_infographic.pdf
  8. CIO - http://www.cio.com/article/2857673/security0/5-information-security-trends-that-will-dominate-2015.html
  9. How much longer are we going to go around in circles about the psychology of information security? Photo by Viktor Hanacek https://picjumbo.com/evening-swing-carousel/
  10. • Cyberpsychology is an emerging discipline which involves the study of the human mind and behaviour in the context of information communication technology. It represents an incredibly valuable source of insight into information security behaviour. • Photo from Project Apollo Archive https://www.flickr.com/photos/projectapolloarchive/21713955181
  11. • Presence • The internet is designed to make communication effortless, so we should feel totally immersed in it. • A major goal for all ICT engineers is to ensure that users of their technology are totally unaware of all of the computations and calculations that are going on behind the scenes (Lombard & Ditton, 1997). • Users act like ICT is invisible - “for mediated exchange to work as interpersonal communication, there must be tacit agreement that the participants will proceed as though they are communicating face to face” (Cathcart & Gumpert, 1986, p. 116). • Cathcart, R., & Gumpert, G. (1986). The person-computer interaction: A unique source. In B. D. Ruben (Ed.), Information and behavior (Vol. 1) (pp. 113–124). New Brunswick, NJ: Transaction Publishers. • Lombard, M., & Ditton, T. (1997). At the heart of it all: The concept of presence. Journal of Computer-Mediated Communication, 3(2), 1–23. • Photo from https://pixabay.com/en/bokeh-background-abstract-colorful-587113/z
  12. • Lurking • Anywhere up to 90% of the visitors to any online forum will read everything, will be invisible and will not participate to any meaningful or noticeable degree (Nonnecke, East, & Preece, 2001). • Consequently it is very likely that when an employee is online, they may assume that the only ones they can see talking to them are the only ones who are present. This is where insider threats slip up – they don’t think anyone can see them. • Nonnecke, B., East, K. S., & Preece, J. (2001). Why lurkers lurk. In Americas Conference on Information Systems (pp. 1–10). • Photo from https://pixabay.com/en/rabbit-hare-bunny-costume-animal-542554/
  13. • Self-disclosure • When online, people are more likely to reveal personal information. • People tend to reveal the most personal information online when they are in certain conditions (Joinson, 2001), namely heightened private self-awareness and reduced public self-awareness. • In other words, when someone is focussing on themselves, their person and body, and feels anonymous and unseen, they are likely to reveal information about themselves that they would not in a face-to-face context. • Self-disclosure of this kind is likely a critical factor in cyberbullying - it’s also a pretty useful tool in honeypot operations. • Joinson, A. N. (2001). Self-disclosure in computer-mediated communication: The role of self-awareness and visual anonymity. European Journal of Psychological Assessment, 31, 177–192. • Photo from https://picjumbo.com/colorful-funfair-bokeh/
  14. • Online disinhibition • When online, people loosen up, feel less restrained, and express themselves more openly. • “Everyday users on the Internet—as well as clinicians and researchers—have noted how people say and do things in cyberspace that they wouldn’t ordinarily say and do in the face-to-face world. They loosen up, feel less restrained, and express themselves more openly. So pervasive is the phenomenon that a term has surfaced for it: the online disinhibition effect.” (Suler, 2004, p. 321) • Suler, J. (2004). The online disinhibition effect. CyberPsychology & Behavior, 7(3), 321–326. • Photo from https://pixabay.com/en/concert-people-crowd-audience-731227/
  15. Minimisation of status and authority • In the traditional philosophy of the internet there is no centralised control, everyone is equal, and its only purpose is sharing ideas. • “While online a person’s status in the face-to-face world may not be known to others and may not have as much impact. Authority figures express their status and power in their dress, body language, and in the trappings of their environmental settings. The absence of those cues in the text environments of cyberspace reduces the impact of their authority.” (Suler, 2004, p. 324) • Suler, J. (2004). The online disinhibition effect. CyberPsychology & Behavior, 7(3), 321–326. • Photo from http://www.gratisography.com/
  16. Authority • Traditionally, society is built on a close relationship between authoritative texts and authority figures. • “Knowledge linked to power, not only assumes the authority of 'the truth' but has the power to make itself true. All knowledge, once applied in the real world, has effects, and in that sense at least, 'becomes true.' Knowledge, once used to regulate the conduct of others, entails constraint, regulation and the disciplining of practice.” (Foucault, 1977, p. 27) • Foucault, M. (1977). Discipline and punish. London: Tavistock. • Photo from https://www.flickr.com/photos/drgbb/2227885657
  17. Technological disruption • Web 2.0 has the power to radically change these knowledge and power relationships – “Wikipedia provokes divisive debates precisely because academics realise that Web 2.0 has the potential to radically transform pedagogic and research practices in higher education – and hence irrevocably change traditional academic power and authority arrangements.” (Eijkman, 2010, p. 182) • Eijkman, H. (2010). Academics and Wikipedia: Reframing Web 2.0 as a disruptor of traditional academic power-knowledge arrangements. Campus-Wide Information Systems. http://doi.org/10.1108/10650741011054474 • Photo from the Opte Project http://www.opte.org/the-internet/
  18. • How do leaderless networks work? Quote from a book on direct action, about the Occupy Wall Street movement: – “Before long, people were organizing them everywhere. Someone came up with the theory that the result was a kind of global brain: the interconnections of communication are such that you can imagine people not just communicating but acting, and acting damn effectively, without leadership, a secretariat, without even formal information channels. It's a little like ants meeting in an ant-heap, all waving their antennae at each other, and information just gets around – even though there's no chain of command or even hierarchical information structure. Of course it would be impossible without the Internet.” (Graeber, 2009) • Graeber, D. (2009). Direct Action: An Ethnography. Oakland, CA: AK Press. • Photo from http://anondesign.deviantart.com/art/Anonymous-Logo-with-Slogan-Perfect-Symmetry-408650529 As such...
  19. • From https://www.reddit.com/r/todayilearned/ • The Lao Tzu quote is reasonably accurate, and is from Chapter 17 of the Tao Te Ching. As such...
  20. Photo from http://www.gratisography.com/#objects However, psychology evolves more slowly than technology.
  21. • Photo from https://picjumbo.com/modern-building-windows/ Social structures are pretty rigid too, particularly corporate ones.
  22. • And there are many other examples of where flattened organisations and leaderless environments run into trouble... • https://twitter.com/eoghanmccabe/status/578944417853259777 • http://www.wired.com/2013/07/wireduk-valve-jeri-ellsworth/ So...
  23. • http://www.theglobeandmail.com/report-on-business/jimmy-wales-wikipedias-constitutional-monarch/article4478062/ And also...
  24. • And Guido is only one example of several BDFLs in the tech industry. • While ICT allows for greater collaboration and leaderless networks, it also allows for greater accumulation and centralisation of power. • It seems that ICT has bifurcated traditional power structures. • https://us.pycon.org/2015/events/keynotes/ And also...
  25. • There is an increasing tendency towards leaderless organisations and flattened hierarchies. • But leaderless networks contradict centuries of human psychology and patently do not work, yet... • And furthermore, ICT allows for the accumulation of knowledge and hence centralisation of power. • This is an important biting point for understanding the human factors in InfoSec: • we cannot simply teach the facts of InfoSec compliance; • it needs something more. APPRECIATE CONTRADICTIONS
  26. (Diagram) Axes: Leaderless networks ↔ Autocratic leadership; Centralised knowledge ↔ Distributed knowledge
  27. Information security consciousness • Developing information security consciousness in any context will require understanding and appreciation of these extremes while at the same time occupying a happy medium between them. (Diagram) Information security consciousness placed between: Leaderless networks ↔ Autocratic leadership; Centralised knowledge ↔ Distributed knowledge
  28. Millennial generation • Want to be involved and will have their own ideas, particularly about technology. • Your younger employees will also be more likely to be on temporary contracts or internships and therefore most likely to become your insider threats. • They probably won’t be given the most up-to-date equipment either, and are likely to operate BYOD, so are even more of a security risk. • Hence, understand them and gain their buy-in to security behaviours as a priority. • Photo from http://www.gratisography.com/
  29. Distributing power • Emphasis should be on delegation and empowerment of employees – “an autocratic stance inhibits effective information security and highlights ways that this is expressed by experienced Chief Information Security Officers through their use of discourse. They need to develop an identity within the organisation where they are seen to help employees discuss, and make decisions about, information security. The emphasis should be on delegation and empowerment of employees with an acceptance that, as a result, mistakes and errors may occur.” (Ashenden & Sasse, 2013) • Ashenden, D., & Sasse, A. (2013). CISOs and organisational culture: Their own worst enemy? Computers and Security, 39(Part B), 396–405. doi:10.1016/j.cose.2013.09.004 • Photo from http://www.freeimages.com/photo/ducks-in-a-row-1316756
  30. Empowering security • Select a champion – not necessarily a technical expert – but someone who can motivate and persuade – “The results of this study give credence to the role of a ‘champion’ within the organization, specifically alluding to the influence this person may have in motivating employees to engage in actions involving IT” (Johnston & Warkentin, 2010a) • Johnston, A. C., & Warkentin, M. (2010a). The influence of perceived source credibility on end user attitudes and intentions to comply with recommended IT actions. Journal of Organizational and End User Computing, 22(3), 1–21. doi:10.4018/joeuc.2010070101 • Photo from http://www.gratisography.com/#whimsical
  31. Persuasion • An infographic explaining Petty & Cacioppo’s (1986) elaboration likelihood model of persuasion, from http://persuasiontheory.wikispaces.com/ • Which route to persuasion do infosec managers usually have access to? • You think you have the top one, don’t you? • Unfortunately, if we’re honest, it’s likely to be the bottom one. • Which means that infosec content needs to be deeply emotional and repeated often. • Petty, R. E., & Cacioppo, J. T. (1986). The elaboration likelihood model of persuasion. Advances in Experimental Social Psychology, 124–125.
  32. Information security consciousness • What we need is less: – policy – compliance – logic – reason – condescension • And more: – ideology – commitment – emotion – culture – belief • Information security consciousness needs to become part of an organisation’s culture, part of its practices – part of its employees’ loyalty to each other and to themselves. • There is an important growth point here for human resources also.
  33. Mindfulness • “Despite best efforts to educate employees on how to engage in secure behaviors with respect to the use of IS, security violations and breaches of security are still on the rise ... might not be a result of there not being enough training, but that the training that is being done is lacking in its effectiveness because it facilitates mindless type of learning...” (Parrish & San Nicolas-Rocca, 2012) • Parrish, J. L., & San Nicolas-Rocca, T. (2012). Toward better decisions with respect to IS security: Integrating mindfulness into IS security training. In pre-ICIS Workshop on Information Security and Privacy (SIGSEC) (pp. 12–15). Retrieved from http://aisel.aisnet.org/wisp2012/17 • Photo from http://www.freeimages.com/photo/checkmate-chess-1181519
  34. Values • “...findings suggest that religiosity and values can play important roles in compliance in the domain of information security... Recognizing and appealing to these beliefs and values can help security managers encourage individuals to be more compliant with the policies set forth by their organization.” (Kelecha & Belanger, 2013) • Kelecha, B., & Belanger, F. (2013). Religiosity and information security policy compliance. AMCIS 2013 Proceedings. Retrieved from http://aisel.aisnet.org/amcis2013/ISSecurity/GeneralPresentations/13 • Photo from https://pixabay.com/en/book-skin-knowledge-key-840647/
  35. Fear • Appealing to fear does impact intention to comply with infosec, but the impact is not uniform – “...suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence.” (Johnston & Warkentin, 2010b) • Johnston, A. C., & Warkentin, M. (2010b). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549–A4. • Photo from https://pixabay.com/en/police-security-safety-protection-869216/
  36. • LEAD WITHOUT AUTHORITY • PERSUADE WITHOUT INFORMATION • SECURE WITHOUT FEAR
  37. Thank you! www: ciaranmcmahon.ie e: info@ciaranmcmahon.ie twitter: @cjamcmahon linkedin: @cjamcmahon #ISC2CONGRESSEMEA @CJAMCMAHON